For 10ish years, sourceware.org's DNS presence has been signed with DNSSEC, but using algorithms that are being deprecated. Apparently it's time to bump things up. This requires generating new keys and updating our own DNS as well as the .org registry. Will document the work required here.
/var/named:

[root@server2 named]# dnssec-keygen -a ECDSAP256SHA256 -n ZONE sourceware.org
Generating key pair.
Ksourceware.org.+013+64003
[root@server2 named]# dnssec-keygen -a ECDSAP256SHA256 -f KSK sourceware.org
Generating key pair.
Ksourceware.org.+013+27852
[root@server2 named]# dnssec-dsfromkey Ksourceware.org.+013+64003.key
sourceware.org. IN DS 64003 13 1 73963C89925B738A606A8D44A5DED8E558D030FA
sourceware.org. IN DS 64003 13 2 7999DAFA92E8F5A47B90170D1645E220325E825432523B6889F4498546573159
[root@server2 named]# dnssec-dsfromkey Ksourceware.org.+013+27852.key
sourceware.org. IN DS 27852 13 1 9305926FD5D0D91D49E44917226435EDB0794DFF
sourceware.org. IN DS 27852 13 2 09B86E2AA44D22203DB4AE438FBA4B5B10B4A4BB854D79D2E4C1430E1CB0F345

The two "DS ... 13 2" entries need to replace those currently in sourceware.org's registrar, around the same time we reconfigure sourceware's own DNS server to switch to using these keys.
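The DS lines above are what dnssec-dsfromkey derives from each DNSKEY (RFC 4034: key tag over the RDATA, digest over owner name plus RDATA). As an added check that is not part of this thread, the following script recomputes DS records from a zone's DNSKEYs and reports which DS entries published at the parent match none of them, which is what you want to confirm before and after the registrar update. The owner name is sourceware.org. but the DNSKEY (EXAMPLE_KEY) and the stale parent DS digest are constructed placeholders, not the real keys.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY (NOT sourceware.org's real key): flags 257 = KSK,
# protocol 3, algorithm 13 = ECDSAP256SHA256, placeholder public key bytes.
EXAMPLE_OWNER = "sourceware.org."
EXAMPLE_KEY = {"flags": 257, "protocol": 3, "algorithm": 13,
               "public_key": base64.b64encode(bytes([1]) * 32).decode()}

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the 64003 / 27852 numbers in the DS lines)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, key, digest_type=2):
    """(key_tag, algorithm, digest_type, DIGEST_HEX), as dnssec-dsfromkey prints.
    Digest type 1 = SHA-1, 2 = SHA-256 (the 'DS ... 13 2' form the thread uses)."""
    rdata = dnskey_rdata(key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key["algorithm"], digest_type, digest)

def unmatched_parent_ds(parent_ds, owner, keys):
    """DS tuples published at the parent that match none of the child's DNSKEYs.
    Anything returned is either an old key still in circulation or a mistyped DS."""
    expected = {ds_record(owner, k, dt) for k in keys for dt in (1, 2)}
    return [ds for ds in parent_ds if ds not in expected]

if __name__ == "__main__":
    # Parent still carries one stale DS (constructed placeholder digest).
    stale = (64003, 13, 2, "00" * 32)
    parent = [ds_record(EXAMPLE_OWNER, EXAMPLE_KEY), stale]
    print("stale DS at parent:", unmatched_parent_ds(parent, EXAMPLE_OWNER, [EXAMPLE_KEY]))
```

Feed it the DNSKEY RRset from the child (dig DNSKEY) and the DS RRset from the parent (dig DS @a .org server) and an empty result means the registrar copy is consistent with what the zone serves.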
Sourceware BIND is now serving its zone with both sets of keys. Awaiting the registrar DS updates to finish the transition by removing the old pair from circulation.
The records have been updated at the registrar. Thanks.
Thanks a lot, it looks fine, and passes DNSSEC validation from polly.osci.io and https://dnsviz.net/d/sourceware.org/dnssec/